Debit Card Breach Hits Ohio Credit Unions

A debit card fraud breach that began swarming Northeast Ohio in April is said to have affected tens of thousands of accounts and dozens of financial institutions, including at least seven credit unions.

The breach, which reportedly involved fraudsters who made purchases using counterfeit debit cards that contained stolen account information, follows several other significant attacks including a breach at Michaels stores that resulted in two lawsuits against the company and a compromise of Citigroup’s online banking platform that led to the exposure of more than 360,000 accounts.

The most recent spending sprees reportedly took place at retailers across the U.S. and in several other countries, and thieves stole as much as $4,000 from a single account.

According to police reports from the suburban North Olmsted Police Department, criminals made fraudulent purchases from six accounts at the $311 million Century Federal Credit Union, Cleveland; two accounts at the $180 million Firefighters Community Credit Union, Cleveland; two accounts at the $100 million PSE Credit Union, Parma, Ohio; one account at the $36 million Steel Valley Federal Credit Union, Cleveland; and one account at the $180 million GenFed Credit Union, Akron.

Century FCU President/CEO Tony Coniglio told Credit Union Times that more than just six of his members were affected. The CU has received reports of fraud from about 200 of its 26,000 members to date. “This is very unusual, and it’s the first time it’s happened to us.”

Cleveland’s The Plain Dealer newspaper listed two other credit unions that were hit by the breach: The $34 million First Class Credit Union, Cleveland (formerly Cleveland Postal Employees Credit Union) and the $98 million Best Reward Credit Union, Walton Hills.

Best Reward Credit Union President/CEO John Shirilla said he could not confirm a breach at his institution. “All I know for a fact is that we did not suffer a breach, and I’m assuming that our name ended up in the paper because it was listed on a police report,” Shirilla said.

Ohio Credit Union League spokesman Patrick Harris said the league has reached out to each reportedly affected CU to offer support, but so far, not one of them has requested assistance.

“Right now, their main focus is to continue making sure that their members are protected,” Harris said. “The affected credit unions have contained their fraud losses, for example by canceling debit cards and issuing new cards.”

At this time, the source of the breach is unclear, but criminals reportedly obtained account numbers through a retailer and then created counterfeit debit cards to make purchases, Coniglio said.

Police reports stated that fraudulent purchases took place at a number of large retailers, including Target, Wal-Mart, Best Buy, Belk’s and Victoria’s Secret. Purchase amounts range from $1.50 at a Pepsi retailer to $747.50 at a Victoria’s Secret. One Century FCU account suffered a loss of around $721, and fraudsters took about $934 from one PSE CU account, according to reports.

The Cleveland Electronic Crimes Task Force, a division of the U.S. Secret Service, is investigating the debit card fraud case, Smokey Everett, special agent in charge, told Credit Union Times.

The Ohio Credit Union League took the news as an opportunity to further voice its opposition to Sen. Sherrod Brown’s (D-Ohio) June 8 vote against an amendment that would have delayed the Federal Reserve’s effort to cap debit card interchange fees charged to retailers.

Harris said the league sent Brown a copy of The Plain Dealer article to demonstrate how credit unions can suffer in instances of debit card fraud.

“This is another example of how the burden falls on the financial institution and not the retailer,” Harris said.

Meanwhile, concerns over data security continue to be raised in Congress. This month, the House Energy and Commerce Committee proposed a bill called The Secure and Fortify Data Act, which would require companies that suffer a data breach to notify consumers and the Federal Trade Commission within 48 hours.

CUNA has said it supports charging retailers for any costs incurred by financial institutions due to a data breach as well as requiring institutions to notify its accountholders of a breach. CUNA said doing so would allow credit unions to inform affected individuals while continuing to protect their reputations.